Redirection, IE Ads playing music, games crashing

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pocadot, May 18, 2011.

  1. pocadot

    pocadot Private E-2

    I think I got infected with multiple things a couple days ago. My problems were a fake "hard drive failed" message, Internet Explorer opening and playing musical ads, all my browsers redirecting to the wrong sites, and when I try and play World of Warcraft I get memory errors that cause it to crash instantly. The "hard drive failed" message is no longer appearing. I can't get the TDSS killer program to run. RootRepeal also wouldn't run, giving the error "could not initialize driver".
     

    Attached Files:

    Last edited: May 18, 2011
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before I review those logs (I may have to sleep soon, it is almost 2am), let's have you do this because it MAY be a different version from what you tried.

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run

    Or you could try this copy TDSSK
     
  3. pocadot

    pocadot Private E-2

    Nothing. I double click to run it, and also right click run as admin, and it's like the program doesn't even open. Nothing happens.

    When I rename it the file type is still .exe, is that right, even though its name is 123.com?
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do you have your Vista install disc? If not:

    Vista and Win7 Recovery disc

    To run the Bootrec.exe tool, you must start Windows RE. To do this, follow these steps:

    1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
    2. Press a key when you are prompted.
    3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
    4. Click Repair your computer.
    5. Click the operating system that you want to repair, and then click Next.
    6. In the System Recovery Options dialog box, click Command Prompt.
    7. Type Bootrec.exe, and then press ENTER.

    Then you can do this:

    Bootrec.exe /fixmbr

    Now continue with this:


    Java(TM) 6 Update 20 <--- Uninstall outdated Java



    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15438&l=dis

    After clicking Fix exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\shoit
    File::
    C:\ProgramData\33545976
    c:\users\ryan\AppData\Local\Xcusuze.bin
    c:\users\ryan\AppData\Local\Fvutifuci.dat
    c:\programdata\~33545976
    c:\programdata\~33545976r
    Folder::
    c:\programdata\cE06509AhFnG06509
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  5. pocadot

    pocadot Private E-2

    No problems with your instructions.

    Still getting redirection, my game won't run, no musical IE ads yet though.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you properly follow the instructions to run the bootrec.exe tool?

    Which browser does the redirection occur in? (If firefox, does it also occur in IE ? and vice versa)
     
  7. pocadot

    pocadot Private E-2

    I use Firefox, and I just tried, IE also had redirection. I wasn't sure how to select the ISO to boot from on my memory stick. I pressed F8 to go into the settings but didn't see what I expected. I chose 1... can't remember.. about to go look. I clicked repair, chose United States, went into command prompt and ran the bootrec.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, go back to post # 4 and follow the instructions exactly up until the uninstall old Java point. This, if done correctly, I am confident will address your redirection issues (MBR infection!)
     
  9. pocadot

    pocadot Private E-2

    OK I followed the instructions exactly, but am still having problems. If I go to eBay from Google, the URL bar says ebay.com, then like moonshrine.com, and then it loads back the Google search page.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You may want to try creating and using Hiren's CD to fix the MBR. See what was posted in message # 12 of the below thread and see if you can get this CD to run.

    whistler/black internet@mbr again!
     
  11. pocadot

    pocadot Private E-2

    OK I tried that and it didn't work either. When I click mbr work 1.08 it posts a few lines then says loading cd drivers. Then it says Stack stack stack stack for 4 lines down and across, then a string of characters that make no sense, including a smiley face...
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Damn, running out of options.

    Please download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it.


    Click the "Scan" button to start scan


    On completion of the scan click save log, save it to your desktop. Use the PC a while and tell me how it behaves. Any redirecting still? Post in your next reply.
     
  13. pocadot

    pocadot Private E-2

    Still getting redirections =[ My mouse sensitivity also gets reset, I'm not sure when or how yet.

    It works otherwise, except for WoW, which I have given up for now.

    This is the World of Warcraft error I get, maybe it can help in other ways.

    The instruction at "0x634EFEEB" referenced memory at "0x00000063".
    The memory could not be "read".
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, I might have been going the wrong way about this, it feels like an MBR infection as they are popular of late but perhaps it is your router that is infected. Do you use a router? :confused
     
  15. pocadot

    pocadot Private E-2

    Yeah, I did reset it once because it was somewhere in the directions. My other computer that is wired into the router isn't having any problems.
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do the redirects occur when you use safe mode with networking?

    Are you sure you reset the router properly? There are usually two buttons, for example on mine there is a "restart" button and a "reset to defaults" button. If I was having redirection issues I would choose reset to defaults because just "reset" would not do anything. Can you verify this for me please with your router?
     
  17. pocadot

    pocadot Private E-2

    OK, yeah the redirects occur in safe mode. I don't think I reset my modem correctly the first time because when I did it just now, I had to call my ISP to reconnect me. So it has been reset to default now, and I still have redirects and two iexplore.exe open in the task manager. I can constantly end process them and they come back.

    What do you think about clean install of windows 7?
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It's an option, but too easy an option. If you are willing, I would like to try and battle this out?

    Without giving actual links, tell me what kind of sites you are being redirected to example: buyviagra.com

    I think we might try resetting the hosts file:

    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program

    Any difference?
     
    Last edited: May 22, 2011
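    As an added illustration of what the hosts-file restore above is meant to undo (example code written for this page, not a MajorGeeks or HostsXpert tool): the script parses a hosts file, ignores the two Microsoft default localhost lines, and tags every other mapping as "blocked" (name points at loopback or 0.0.0.0) or "redirected" (name points at some other address, the classic hosts-file hijack). The sample file contents and the 203.0.113.45 address are constructed for the example.

```python
import ipaddress

# Constructed sample of a Windows hosts file: the two localhost lines are the
# Microsoft defaults; everything after the marker comment is made up for this
# example and is NOT taken from the machine discussed in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# --- constructed entries below ---
203.0.113.45    www.google.com        # search engine pointed at a foreign host
203.0.113.45    search.yahoo.com
0.0.0.0         update.microsoft.com  # update site blackholed
127.0.0.1       ad.doubleclick.net    # looks like ordinary ad blocking
"""

# The only mappings a pristine Microsoft hosts file is expected to contain.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, skipping comments and blanks."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop trailing comment
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # not a usable address; ignore
        for host in parts[1:]:                  # one line may map several names
            yield parts[0], host.lower(), line_no


def audit_hosts(text):
    """Return non-default mappings, each tagged 'blocked' or 'redirected'."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        # Loopback or 0.0.0.0 makes the name unreachable (blackholed);
        # any other address silently sends the user somewhere else (hijack).
        kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append({"line": line_no, "ip": ip, "host": host, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>2}: {f['host']:<22} -> {f['ip']:<14} [{f['kind']}]")
```

    To audit a real machine, read C:\Windows\System32\drivers\etc\hosts and pass its text to audit_hosts(); a "blocked" entry for an ad domain can be legitimate, but "blocked" security-vendor or update sites and any "redirected" entry deserve a look.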
  19. pocadot

    pocadot Private E-2

    Yeah, sites like loch-ness.com, find-quick-results.com, livejasmin.com, refugjat.org. I'm going to get out of safe mode and run that test.
     
    Last edited: May 22, 2011
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK! Let me know. I need to sleep soon though.
     
  21. pocadot

    pocadot Private E-2

    I'm definitely going slower, but still redirection, and to a site kdm.us. A lot of the time I get reloaded to the exact same Google search page I was on.

    I ran the hostsxpert test.
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    After that, start Firefox in its safe mode.

    Now tell me whether redirects occur in that mode.

    In Internet Explorer : Click Start -> All Programs -> Accessories -> System Tools, and then click Internet Explorer (No Add-ons).

    Do redirects occur this way?
     
  24. pocadot

    pocadot Private E-2

    Yeah, things still happen with safe mode and without add-ons in IE. I will describe it in detail. I go to Google, type in fix car breaks. I click any link and the URL says "random url" for about 1-2 seconds, then the URL changes back to my Google search link. If I click the link 4-5 times I can get to the website that I want. Bedtime now.
     

    Attached Files:

  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run TDSSKiller again at this point please? (Did you go to bed yet?) I am hoping that this will work as it should have been run directly after I repaired the MBR. Fingers crossed!!!!!! Attach the log.

    Reboot the machine, surf... tell me if that blasted redirection has stopped or not. :)
     
  26. pocadot

    pocadot Private E-2

    Won't run, I see it pop up in task manager for about 2-3 seconds then it disappears.
     
  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I have a list prepared for many things to try to beat this thing!

    Now let's flush the Java Cache

    • Click Start > Settings > Control Panel
    • Double click the Java icon (be patient, it may take a while to open)
    • Now click the General tab and under the Temporary Internet File area
    • Click the Settings button and then click the Delete Files... button.
    • In the next popup click OK.
    If you have multiple Java plugin icons in Control Panel follow the above to clear all their caches.


    Let's flush the FireFox Cache
    To flush your FireFox Cache:

    • click Tools
    • select Options
    • select Privacy
    • in the section labeled Private Data click Clear Now

    Flush the Internet Explorer Cache
    To flush your Internet Explorer Cache:

    • click Tools
    • Internet Options
    • Now on the General tab, click Delete Files and select Delete all Offline content too
    • Click OK.
    • When it finishes Click OK.

    Change your DNS Servers:
    • Go to Start > Run... and in the open box, type: cmd
    • Press OK or Hit Enter.
    • At the command prompt, type or copy/paste: ipconfig /flushdns
    • Hit Enter.
    • You will get a confirmation that the flush was successful.
    • Close the command box.

    If the above commands did not resolve the problem, the next thing to try is to reset your network settings and Configure TCP/IP to use DNS.

    CAUTION: It's possible that your ISP (Internet Service Provider) requires specific DNS settings here. Make sure you know if you need these settings or not BEFORE you make any changes or you may lose your Internet connection. If you're sure you do not need a specific DNS address, then you may proceed.

    Go to > Control Panel, and choose Network Connections.
    • Right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and choose Properties.
    • Double-click on Internet Protocol (TCP/IP) or highlight it and select Properties.
    • Under the General tab, write down any settings in case you should need to change them back.
    • Select the button that says "Obtain an IP address automatically" or make sure the DNS server IP address is the same as provided by your ISP.
    • Select the button that says "Obtain DNS servers automatically".
    • If unknown Preferred or Alternate DNS servers are listed, uncheck the box that says "Use the following DNS server address".
    • Click OK twice to get out of the properties screen and restart your computer. If not prompted to reboot go ahead and reboot manually.

    Vista Users can refer to this


    Please run the Kaspersky Virus Removal Tool


    Please run this Backdoor.Tidserv Removal Tool


    Please download RogueKiller.exe and save it to your desktop.
    • Now quit all running programs.
    • Double click RogueKiller.exe to run it.
    • When prompted, type 1 and hit Enter.
    • A RKreport.txt should appear on your desktop.
    • Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe .
    • Please post the contents of the RKreport.txt in your next Reply.

    Now try and run TDSSKiller again.

    Are we making any progress yet? :confused
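    An added example for the DNS part of the list above (written for this page; not a MajorGeeks tool): it parses the text of "ipconfig /all" and, per adapter, reports whether DNS was set by hand (DHCP disabled) and which resolvers are neither the gateway nor in a trusted set, which is the "unknown Preferred or Alternate DNS servers" condition the steps tell you to look for. The ipconfig sample, the 198.51.100.x / 192.168.1.x addresses and the TRUSTED_DNS set are constructed placeholders, not values from the thread.

```python
import re

# Constructed "ipconfig /all" excerpt; addresses are documentation/private ranges
# chosen for the example, not servers from the machine in this thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : EXAMPLE-PC

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       198.51.100.8

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.11(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Resolvers you know your ISP or router hands out (placeholder for the example).
TRUSTED_DNS = {"192.168.1.1"}

# "   Label . . . . : value" lines; the space before ':' keeps IPv6 values
# such as fe80::1 on continuation lines from being mistaken for a label.
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]* :\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {'dhcp': bool|None, 'gateway': str|None, 'dns': [...]}}."""
    adapters, current, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" ") and raw.rstrip().endswith(":"):
            current = raw.rstrip()[:-1]               # "Ethernet adapter ...:" header
            adapters[current] = {"dhcp": None, "gateway": None, "dns": []}
            last_key = None
            continue
        if current is None:
            continue                                   # global header block
        m = FIELD.match(raw)
        if m:
            last_key, value = m.group(1), m.group(2).strip()
            if last_key == "DHCP Enabled":
                adapters[current]["dhcp"] = value == "Yes"
            elif last_key == "Default Gateway":
                adapters[current]["gateway"] = value or None
            elif last_key == "DNS Servers" and value:
                adapters[current]["dns"].append(value)
        elif last_key == "DNS Servers":
            adapters[current]["dns"].append(raw.strip())  # extra server on its own line
    return adapters


def audit_dns(text, trusted=TRUSTED_DNS):
    """Flag adapters with manually set DNS or resolvers outside the trusted set."""
    report = {}
    for name, cfg in parse_ipconfig(text).items():
        unknown = [s for s in cfg["dns"] if s not in trusted and s != cfg["gateway"]]
        report[name] = {"static": cfg["dhcp"] is False, "unknown_dns": unknown}
    return report
```

    Run "ipconfig /all > ipconfig.txt" on the affected PC and feed that file to audit_dns(); an adapter whose unknown_dns is non-empty while the other, unaffected machine on the same router shows only the gateway is the mismatch worth explaining before reinstalling.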
     
  28. pocadot

    pocadot Private E-2

    For the Kaspersky virus removal tool, should I be scanning anything special or scan with default settings?
     
  29. pocadot

    pocadot Private E-2

    My redirections seem to have stopped.. Kaspersky found an infection but was unable to remove it. The scan is at 2% after 12 minutes...
     
  30. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am not about to get too excited, but this sounds like a little bit of progress finally! :) If it was unable to remove the infection, I don't know why your redirects have stopped, however, continue to let it scan. If it still has not got beyond 2% after about another half an hour then abort it and start going through the list of other things I gave you to try.
     
  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    In fact, go through the rest of the list of things to try anyway. Just thought I would say that because it's bedtime again in a little while.
     
  32. pocadot

    pocadot Private E-2

    The Kaspersky found something and forced me through a restart, and so I continued through your directions.

    TDSSKiller ran and didn't find anything, redirections have stopped.

    Here are 2 logs.
     

    Attached Files:

  33. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well I cannot begin to describe how happy I am LOL Can we call it quits for tonight and not have you follow final steps until tomorrow after you have used the computer some more? I just want to be absolutely sure the bad has gone. :major

    Also do this after you have surfed around a bit more tomorrow.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
    Last edited: May 23, 2011
  34. pocadot

    pocadot Private E-2

    K, haha, I think you are about 5 hours ahead of me and I don't get back till around 5 in the afternoon, so we'll see tomorrow night.
     
  35. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am on UK time. OK. :) See you tomorrow.
     
  36. pocadot

    pocadot Private E-2

    no problems still
     

    Attached Files:

  37. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Excellent!

    What exactly did it find? I am curious to see the results. I was of the understanding that you would have attached a log from what it found. My usual instructions for running this tool would be:

    How exactly did you proceed when running the tool, do you recall? :confused
     
  38. pocadot

    pocadot Private E-2

    Well, it found something and said could not delete, could not disinfect, so it continued the scan, then it found another thing and my only option was restart right then, so I clicked restart. PC restarted and the removal tool was back to step 1. I was trying to remember for quite a while exactly what it was, but can't..
     
  39. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm, I just hope whatever it removed has gone for good. If you are confident all is well then you can follow final steps. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  40. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do you have a C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip? If so could you attach it here please?
     
  41. pocadot

    pocadot Private E-2

    Some kind of .log.. there is no LOG folder in my setup folder.

    I opened the tool and went to report and saved a log to get that.
     

    Attached Files:

  42. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      volsnap*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  43. pocadot

    pocadot Private E-2

    system look
     

    Attached Files:

  44. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good, my curiosity has been satisfied. Thanks for sticking it out! Did not have to nuke and pave after all huh.
     
  45. pocadot

    pocadot Private E-2

    I was only 1-2 days away from it xD Thanks much for the help
     
  46. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I can imagine your frustration, in fact I was feeling the same frustration! You're welcome. Glad you had patience enough to battle the bad with me.
     
